Bug#700610: bsh (BeanShell) security vulnerability (CVE-2016-2510)

Emmanuel Bourg ebourg at apache.org
Fri Feb 19 13:32:21 UTC 2016


Hi Stian,

Thank you for the notice. Technically this isn't a vulnerability in bsh
though, the issue is any application deserializing untrusted data
without sanitizing it and having bsh on the classpath. I'm not aware of
such applications in Debian, but if there is one it should be fixed as a
priority instead of playing whack-a-mole with the serialization code in
the 800+ Java libraries in Debian.

Regarding your fork on GitHub, did you get the authorization from the
original author (Patrick Niemeyer) to change the license from LGPL-2 to
Apache-2.0? Also why was the Maven groupId changed from org.beanshell to
org.apache-extras.beanshell?

Emmanuel Bourg
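The point made above, that the fix belongs in the application that deserializes untrusted input rather than in every library that happens to be on the classpath, can be shown with a minimal Java program. This is an added example, not code from this thread, from bsh or from Debian. The class names (Greeting, AllowListInputStream, SafeDeserialization) and the sample payloads are constructed for illustration; java.util.ArrayList is used only as a stand-in for "a class the application never expected to receive", not as any known gadget.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class SafeDeserialization {

    /** Constructed example type: the only class this application expects on the wire. */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /**
     * The 'before': readObject() instantiates whatever class the stream names.
     * Any Serializable class on the classpath is constructed, and its readObject/
     * readResolve hooks run, before the caller gets a chance to check the type.
     */
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /**
     * The 'after': resolveClass() is consulted for every class descriptor before an
     * instance is created, so anything outside the allow-list is rejected before its
     * deserialization hooks can execute. This is the "sanitizing" the mail refers to.
     */
    static final class AllowListInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowListInputStream(byte[] data, Set<String> allowed) throws IOException {
            super(new ByteArrayInputStream(data));
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not permitted in this stream");
            }
            return super.resolveClass(desc);
        }
    }

    static Greeting safeRead(byte[] data) throws IOException, ClassNotFoundException {
        // Strings are written as TC_STRING and never reach resolveClass, so only
        // the expected top-level type needs listing here.
        Set<String> allowed = Set.of(Greeting.class.getName());
        try (ObjectInputStream in = new AllowListInputStream(data, allowed)) {
            return (Greeting) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting("hello"));
        // Constructed stand-in for an unexpected class; not a gadget, just "not a Greeting".
        byte[] unexpected = serialize(new ArrayList<>(List.of("x")));

        System.out.println("safe reader, expected payload:   " + safeRead(expected).text);
        // The unsafe reader fully instantiates the unexpected object before anyone can object.
        System.out.println("unsafe reader, unexpected class: " + unsafeRead(unexpected));
        try {
            safeRead(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("safe reader, unexpected class:   rejected " + e.classname);
        }
    }
}
```

The allow-list lives in the application because only the application knows which types it legitimately receives; a library cannot know which of its Serializable classes a given stream should be permitted to name. On Java 9 and later the same effect is available without subclassing, via ObjectInputStream.setObjectInputFilter and a pattern such as "SafeDeserialization$Greeting;!*" (permit the one class, reject everything else), which also lets the JVM enforce the policy globally through the jdk.serialFilter property.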


